DETAILED ACTION
Status of Claims 

1. This action is responsive to amendment filed on December 27, 2007, where applicant
amended claims 1,2,11,13,14,19,23,25,26,27,28,31,33,34 and cancelled claims 
5,6,8,17,18,29,30,32. Claims 1-4,7,9-11,13-16,19-23,25-28,31 and 33-34 are pending. 

Response to Arguments 

2. Applicant's arguments, filed 12/27/2007, with respect to the rejection(s) of claim(s)
1-4,7,9-11,13-16,19-23,25-28,31 and 33-34 have been fully considered and are persuasive. The
previous rejection has been withdrawn. However, upon further consideration, a new ground(s) 
of rejection is made in view of Tarquini et al (US Patent Publication No 2003/0101353), as 
outlined below. Applicant's arguments are therefore moot in view of the new grounds of
rejection. 

3. Previous claim objections, 101 rejections and 112 rejections are withdrawn.

Claim Rejections - 35 USC §103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. Claims 1,3-11,13,15-23,25 and 27-34 rejected under 35 U.S.C. 103(a) as being
unpatentable over Tarquini et al (US Patent Publication No 2003/0101353) in view of 
Copeland (US Patent No 7,185,368). 

6. In reference to claim 1, Tarquini teaches a method of detecting an intrusion in a
communications network, the method comprising the steps of: 

scanning data packets by a first computer system to which the data packets are directed, 
wherein the scanning includes the computer system processing the packets by a transport layer of 
a network protocol associated with said communications network using signatures from a 
repository of said signatures (¶ 30 lines 25-30);

determining if said scanned data packets are malicious (¶ 30 lines 30-32); and
taking at least one action if any of the data packets are determined to be malicious (¶ 30
lines 30-32),

to provide a queue for data from the data packets to a first application on the first 
computer system, wherein the scanning of the respective data packets occurs before the first 
application receives the data from the respective data packets (Figure 6 and middle of ¶ 38 and ¶s
39-40, Tarquini discloses queuing data through a network stack for performing intrusion
prevention at each network layer). 

Tarquini fails to explicitly teach the limitations wherein at least one application receive 
queue (ARQ) functions intermediate said transport layer and an application layer of the first 
computer system provides the queue for data, and wherein said scanning step is selected from the 
group consisting of: scanning between said transport layer and said at least one ARQ; and 
scanning the data packets from said at least one ARQ. However, Holland teaches host-based 
monitoring of a network protocol stack (column 5 lines 23-45). Holland discloses monitoring via
queues intermediate application and transport layers for providing and scanning data for 
intrusion detection, and further discloses scanning between the TCP layer (Figure 4 and column 
6 lines 35-61). 

It would have been obvious for one of ordinary skill in the art to modify Tarquini wherein 
at least one application receive queue (ARQ) functions intermediate said transport layer and an 
application layer of the first computer system provides the queue for data, and wherein said 
scanning step is selected from the group consisting of: scanning between said transport layer and 
said at least one ARQ; and scanning the data packets from said at least one ARQ as per the 
teachings of Holland for the purpose of implementing intrusion detection on the network 
protocol stack level. 

7. In reference to claim 3, Tarquini teaches the method according to claims, further 
comprising the step of transmitting to said application layer any data packets determined not to 
be malicious (¶ 40-41).

8. In reference to claim 4, Tarquini teaches the method according to claim 1, wherein said 
scanning and determining steps are implemented using a scan module (¶ 40-41).

9. In reference to claim 7, Tarquini teaches the method according to claim 6, further 
comprising the step of obtaining data from said at least one application receive queue (ARQ) 
(Holland, Figure 4 and column 6 lines 35-61, see rationale for claim 1 above). 

10. In reference to claim 9, Tarquini teaches the method according to claim 1, further 
comprising the step of dispatching said data packets to one or more handlers for scanning, if said 
protocol is monitored (¶ 40-41).

11. In reference to claim 10, Tarquini teaches the method according to claim 1, wherein said
scanning and determining steps are implemented using a scan daemon (¶ 40-41).

12. In reference to claims 13,15,16,19-22, these claims are system claims that correspond to 
the method claims of claims 1,3,4,7,9,10. Therefore, claims 13,15,16,19-22 are rejected based 
upon the same rationale as given for claims 1,3,4,7,9,10 above. 

13. In reference to claims 25,27,28,31,33, these claims are product claims that correspond to 
the method claims of claims 1,3,4,7,9,10. Therefore, claims 25,27,28,31,33 are rejected based 
upon the same rationale as given for claims 1,3,4,7,9,10 above.

14. Claims 2,14,26 rejected under 35 U.S.C. 103(a) as being unpatentable over Tarquini 
et al (US Patent Publication No 2003/0101353) in view of Copeland (US Patent No 
7,185,368). 

In reference to claims 2,14,26, Tarquini teaches the corresponding method, system, and 
product according to claims 1,13,25 respectively, wherein said at least one action is selected 
from the group consisting of: 

interrupting transmission of any data packets determined to be malicious to said 
application layer of said network protocol, wherein the interrupting is performed prior to the 
first application processing the malicious data packets; logging of errors related to any data 
packets determined to be malicious (¶ 41);
informing a network administrator any data packets are determined to be malicious;
intimating said transport layer terminate an existing connection related to any data packets 
determined to be malicious (¶ 48);

blocking network access to a source of any data packets determined to be malicious; 
terminating an application of an application layer if any data packets are determined to be 
malicious; and notifying an application of an application layer if any data packets are 
determined to be malicious (¶s 40-41).

Tarquini fails to explicitly teach modifying firewall rules of a host computer if any data 
packets are determined to be malicious. However, Copeland discloses an intrusion detection 
system that modifies a firewall's behavior by configuring the firewall to drop packets it finds to
be malicious for the purpose of protecting a network from the harmful effects of a network 
intrusion (column 19 lines 20-30 & column 22 lines 40-48). 

It would have been obvious for one of ordinary skill in the art to modify Vaidya by 
modifying firewall rules of a host computer if any data packets are determined to be malicious 
as per the teachings of Copeland for the purpose of protecting a network from the harmful 
effects of a network intrusion. 

15. Claims 11,23,34 rejected under 35 U.S.C. 103(a) as being unpatentable over 
Tarquini et al (US Patent Publication No 2003/0101353) in view of Triulzi et al (US Patent 
Publication No 2004/0117478). 

16. In reference to claims 11,23,34, Tarquini teaches the corresponding method, system, and
product according to claims 1,13,25 respectively. Tarquini fails to explicitly teach, further 
comprising the step of the target computer system generating fake network accessible services.
However, Triulzi discloses that generation of fake network data and services for the purpose of
detecting and analyzing network attacks (¶ 67 and 133). It would have been obvious for one of
ordinary skill in the art to modify Tarquini to further comprise the step of the target computer
system generating fake network accessible services as per the teachings of Triulzi for the purpose 
of detecting and analyzing network attacks. 

Conclusion 

17. The above rejections are based upon the broadest reasonable interpretation of the claims. 
Applicant is advised that the specified citations of the relied upon prior art, in the above 
rejections, are only representative of the teachings of the prior art, and that any other supportive 
sections within the entirety of the reference (including any figures, incorporation by references, 
claims and/or priority documents) is implied as being applied to teach the scope of the claims. 

18. The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure. See attached Form 892.

19. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the date of this
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to RAMY M. OSMAN whose telephone number is (571)272-4008. 
The examiner can normally be reached on M-F 9-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ario Etienne can be reached on (571) 272-4001. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

RMO 

March 26, 2008 
/Ario Etienne/ 

Supervisory Patent Examiner, Art Unit 2157 



